Forbidden 403 after adding nodes on Chef 12

Running chef client in debug mode shows this:

Initiating PUT to
https://chef-008.dev.foobar.com/organizations/foobar/nodes/dt-ac8c940d.dev.foobar.com

HTTP 1.1 403 Forbidden

How do I go about fixing this?

I’m simply adding my node with:
knife node from file dt-ac8c940d.dev.foobar.com.json

and then running the chef-client.

This thread seems to be related:
https://github.com/chef/chef-server/issues/63

However, attempting to use the suggested:
knife acl add nodes dt-ac8c940d.dev.foobar.com update client dt-ac8c940d.dev.foobar.com

results in:
FATAL: ERROR: To enforce best practice, knife-acl can only add a group to an ACL.
FATAL: See the knife-acl README for more information.

I’ve reproduced this multiple times after deleting both the node and the
client and running the knife node from file … command again.

I’ve also tried running knife bootstrap, and the problem disappears. It
would seem that bootstrap is doing something magical that ‘knife node from
file’ is not. However, I’d prefer not to use bootstrap as this needs to
work with autoscaling groups.

Thanks,

Hi Doug,

Thanks for your email. Some recent changes were made to knife-acl to
try to prevent users from accidentally breaking their Chef
organization. But, it appears we were over-zealous and prevented this
use case. This use case is important so we'll look into fixing it so
that it is possible.

Until it is fixed, you can still fix the permissions on a node by
using knife edit /acls/nodes/NODENAME.json.

It would seem that bootstrap is doing something magical that 'knife node from file' is not.

knife node from file is creating the node as your user. By default
the creator of an object gets all permissions on that object. The
bootstrap command creates the client first and then the client is
used to create the node object. Since the client creates the node
object it gets all permissions on that object.

However, I'd prefer not to use bootstrap as this needs to work with autoscaling groups.

Without knowing the details of what your autoscaling group needs to
do, I can't give specific advice. But many autoscaling
implementations use the validator-based bootstrapping with custom node
json fed in via user-data. This doesn't require pre-creating the node
object so the client will end up with the correct permissions. The
custom node json is passed in on the first chef-client run via the
-j flag.

I hope this helps.

Cheers,

Steven

On Tue, Aug 25, 2015 at 7:20 PM, Doug Garstang doug@slice.com wrote:

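The ACL repair Steven describes, worked through as an added example in Ruby (Chef's own language); this is not code from the thread or from Chef itself. It assumes the node ACL document has the shape `knife edit /acls/nodes/NODENAME.json` presents, one key per permission (create, read, update, delete, grant) each holding "actors" and "groups", and that a chef-client run needs read (GET) and update (PUT) on its own node object. The sample ACL and group membership are constructed to reproduce the thread's situation: the node was created by user "doug" with `knife node from file`, so doug holds every permission, while the node's client only gets read through the clients group and so receives 403 on its PUT. The group grants in the sample are illustrative, not the server's exact defaults.

```ruby
# Added example: diagnose why a Chef node's client gets 403 on PUT /nodes/NAME,
# and produce the ACL you would save from `knife edit /acls/nodes/NAME.json`.
require 'json'

PERMISSIONS = %w[create read update delete grant].freeze

# Assumption: chef-client must GET (read) and PUT (update) its own node object.
CLIENT_NEEDS = %w[read update].freeze

# Constructed sample: the ACL a node ends up with when user "doug" creates it
# via `knife node from file`. The creator holds every permission; the group
# grants are illustrative, not the server's exact defaults.
SAMPLE_NODE_ACL = <<~JSON
  {
    "create": { "actors": ["doug"], "groups": ["admins"] },
    "read":   { "actors": ["doug"], "groups": ["admins", "users", "clients"] },
    "update": { "actors": ["doug"], "groups": ["admins", "users"] },
    "delete": { "actors": ["doug"], "groups": ["admins", "users"] },
    "grant":  { "actors": ["doug"], "groups": ["admins"] }
  }
JSON

# Constructed group membership; on a real server the Chef Server resolves this.
SAMPLE_GROUPS = {
  'admins'  => ['doug'],
  'users'   => ['doug'],
  'clients' => ['dt-ac8c940d.dev.foobar.com']
}.freeze

# True if +actor+ holds +perm+ directly, or through any group listed on it.
def permitted?(acl, perm, actor, groups)
  entry = acl.fetch(perm)
  return true if entry.fetch('actors').include?(actor)
  entry.fetch('groups').any? { |g| groups.fetch(g, []).include?(actor) }
end

# Permissions from +needed+ that +actor+ does not hold. An empty result means
# the client's PUT to /nodes/NAME would be authorized instead of 403.
def missing_permissions(acl, actor, groups, needed = CLIENT_NEEDS)
  needed.reject { |perm| permitted?(acl, perm, actor, groups) }
end

# Return a new ACL with +client+ added as a direct actor on +perms+.
# Idempotent and additive: existing actors and groups are left untouched,
# and the input hash is not modified (deep copy via JSON round-trip).
def grant_client(acl, client, perms = CLIENT_NEEDS)
  perms.each do |p|
    raise ArgumentError, "unknown permission #{p}" unless PERMISSIONS.include?(p)
  end
  fixed = JSON.parse(JSON.generate(acl))
  perms.each do |perm|
    actors = fixed.fetch(perm).fetch('actors')
    actors << client unless actors.include?(client)
  end
  fixed
end

if $PROGRAM_NAME == __FILE__
  client = 'dt-ac8c940d.dev.foobar.com'
  acl = JSON.parse(SAMPLE_NODE_ACL)
  puts "before: #{client} lacks #{missing_permissions(acl, client, SAMPLE_GROUPS).inspect}"
  fixed = grant_client(acl, client)
  puts "after:  #{client} lacks #{missing_permissions(fixed, client, SAMPLE_GROUPS).inspect}"
  puts JSON.pretty_generate(fixed)
end
```

The repaired document is what you would paste back into `knife edit /acls/nodes/NODENAME.json`; afterwards `knife acl show nodes NODENAME` should list the client under the update actors. This per-node actor grant is the workaround for the case knife-acl currently refuses. For the validator-based autoscaling path no ACL edit is needed at all: the client registers itself with the validator key, creates the node object on its first `chef-client -j /etc/chef/first-boot.json` run, and as creator holds all permissions on it.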